Long time lurker, first post and hoping not to be hit by lightning facing the gods of XSS :)

Today I thought it was a nice day to play a little bit with the php sanitation filters, see how they work and how to bypass them. Since I'm lazy and not a coder I took the easy way; I downloaded XAMPP and DVWA.

I looked at the medium level of the reflective XSS exercise and thought that would be a nice place to start.

I tried to evade this using several encodings and injections but was unsuccessful, so I figured it was time to try something easier.

Looking at the various php sanitation filters I thought filter_var in combination with FILTER_SANITIZE_EMAIL would be easier to exploit since it allows you to use things like & and % and sanitizes things like ", < and >.

However, to my frustration even these very basic filters seem to successfully stop all my attempts. I already spent an hour on Google looking for PHP evasion attacks, but they all assume you can use ", >, or /, which are sanitized by the PHP filter.

As you can imagine I feel very stupid now and almost don't dare to admit this, but I feel I am missing something very basic here ...
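
Added example, not part of the original post: a PHP script that shows what `filter_var` with `FILTER_SANITIZE_EMAIL` keeps and strips, and why the result should still be validated and HTML-encoded before it is echoed. The helper name `inspect_email_input` and the sample inputs are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example; inspect_email_input() and the inputs below are constructed.

function inspect_email_input(string $raw): array
{
    // Strips every character outside the set the PHP manual lists for this
    // filter (letters, digits and !#$%&'*+-=?^_`{|}~@.[]).
    $sanitized = (string) filter_var($raw, FILTER_SANITIZE_EMAIL);

    // The filter removes by character class, so a set difference over the
    // characters shows exactly what was dropped.
    $removed = array_unique(array_diff(str_split($raw), str_split($sanitized)));

    return [
        'sanitized' => $sanitized,
        'removed'   => implode('', $removed),
        // Sanitizing does not validate: check the syntax separately.
        'valid'     => filter_var($sanitized, FILTER_VALIDATE_EMAIL) !== false,
        // Sanitizing is not output encoding either: & and ' pass through the
        // filter, so encode for the HTML context when the value is echoed.
        'html'      => htmlspecialchars($sanitized, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
    ];
}

$samples = [
    'alice@example.com',
    'Bob <bob@example.com>',
    "o'brien&co@example.com",
    'not an address',
];

foreach ($samples as $raw) {
    $r = inspect_email_input($raw);
    printf(
        "raw=%s\n  sanitized=%s\n  removed=[%s]\n  valid=%s\n  html=%s\n",
        $raw,
        $r['sanitized'],
        $r['removed'],
        $r['valid'] ? 'yes' : 'no',
        $r['html']
    );
}
```

Run it with the PHP CLI (`php` followed by the file name) to compare the raw, sanitized and encoded forms of each input side by side.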